<!DOCTYPE html>
<html lang="en" xmlns:th="http://www.thymeleaf.org">
<div th:replace="~{commons/commons::head}"></div>

<body>
<!-- 顶部导航栏 -->
<div th:replace="~{commons/commons::topbar}"></div>

<div class="container-fluid">
    <div class="row">
        <!-- 侧边栏 -->
        <div th:replace="~{commons/commons::siderbar(active='fastjson.html')}"></div>

        <main role="main" class="col-md-9 ml-sm-auto col-lg-10 pt-3 px-4">
            <div class="vul_header">
                <span>组件漏洞 - Fastjson反序列化</span>
            </div>
            <hr>
            <ul class="nav nav-tabs">
                <li class="nav-item">
                    <a class="nav-link active" data-toggle="tab" href="#aa"><span class="lnr lnr-bug"></span> 漏洞描述</a>
                </li>
                <li class="nav-item">
                    <a class="nav-link" data-toggle="tab" href="#bb"><span class="lnr lnr-bullhorn"></span> 安全编码</a>
                </li>
            </ul>

            <div class="tab-content">
                <div class="tab-pane dec shadow-sm p-3 mb-4 rounded active" id="aa">
                    fastjson是阿里巴巴的开源JSON解析库，它可以解析JSON格式的字符串，支持将Java Bean序列化为JSON字符串，也可以从JSON字符串反序列化到JavaBean，历史上存在多个反序列化漏洞。
                </div>
                <div class="tab-pane fade" id="bb">
                    <textarea disabled="disabled" class="form-control shadow-sm p-3 mb-5 rounded" id="coder" style="height: 140px;">
方案一、对于第三方依赖组件，需要及时更新版本
方案二、通过配置以下参数开启 SafeMode 来防护攻击：ParserConfig.getGlobalInstance().setSafeMode(true)
                    </textarea>
                </div>
            </div>

            <hr>


            <div class="box-float">
                <div class="float1">
                    <form style="float:right" onsubmit="submitJSON()">
                        <input class="btn btn-sm btn-danger" type="submit" value="运行">
                    </form>
                    <h5><span class="lnr lnr-bug"> 漏洞代码</span></h5>

                    <textarea class="form-control" id="code1">
// 使用低版本并且用到反序列化

public String vul(@RequestBody String content) {
    Object obj = JSON.parse(content);
    return obj.toString();
}

<dependency>
    <groupId>com.alibaba</groupId>
    <artifactId>fastjson</artifactId>
    <version>1.2.24</version>
</dependency>
                    </textarea>

                </div>

                <div class="float2">

                    <h5><span class="lnr lnr-smile"> 安全代码</span></h5>
                    <textarea class="form-control" id="code2">
// 在1.2.68之后的版本，Fastjson增加了safeMode的支持，开启后可完全禁用autoType，注意评估对业务的影响。
// https://github.com/alibaba/fastjson/wiki/fastjson_safemode

public String safe1(@RequestBody String content) {
    ParserConfig.getGlobalInstance().setSafeMode(true);
    Object obj = JSON.parse(content);
    return obj.toString()
}

<dependency>
    <groupId>com.alibaba</groupId>
    <artifactId>fastjson</artifactId>
    <version>最新版</version>
</dependency>
                    </textarea>
                </div>

            </div>
        </main>
    </div>
</div>

<!-- 引入script -->
<div th:replace="~{commons/commons::script}"></div>

<script>
    function submitJSON() {
        const json = JSON.stringify({
            "@type": "com.best.hello.entity.Person",
            "age": 19,
            "id": 2,
            "name": "test"
        });
        const xhr = new XMLHttpRequest();
        xhr.open('POST', '/Fastjson/vul', true);
        xhr.setRequestHeader('Content-Type', 'application/json');
        xhr.send(json);
    }
</script>


</body>

</html>